ID Theft a Taxing Question

Security worries are no match for the convenience of e-filing.

Theft of their personal information and credit card numbers are key
concerns for those who refuse to file their tax returns electronically, according to a study to be released next Monday.

This year, 30 percent of taxpayers said they would file online, and 55 percent said they would do so next year. A full 92 percent of online filers said they do it because they get their refunds faster. The survey of 2400 Internet users by TrustE, a non-profit privacy certification and education
organization, and shopping comparison site BizRate.com, was completed the
week of April 5.

The next largest segment in the survey, 27 percent, use accountants or
tax professionals who file for them, while 21 percent said they preferred
the hands-on paper approach. Fear of sending financial information over the
Internet kept 18 percent from e-filing, with another 14 percent unwilling to
risk identity theft.

Although some consumers say they're worried, actions speak louder than
words. Electronic filing is growing. More
than 300 million returns have been filed electronically since 1986,
according to the Internal Revenue Service, and it expects more than 132 million e-files in 2004
alone, a 12 percent increase from last year. Convenience, it would appear, is a stronger
motivator than fear.

Online tax preparation could also be ripe for scamming, mixing as it
does two hot pockets of fraud: identity theft and the Internet.

Between January and December 2003, the Federal Trade Commission's complaint database received
over half a million consumer fraud and identity theft complaints. Identity
theft accounted for 42 percent of those gripes, up 2 percent from the
previous year.

In September 2003 the FTC released a survey showing
that 27.3 million Americans had been victims of identity theft in the
previous five years -- 9.9 million people in 2002 alone. The FTC said ID
theft cost businesses and financial institutions nearly $48 billion that
year, while consumer victims suffered $5 billion in out-of-pocket expenses.

In another FTC survey, 6 percent of the victims said that the culprit was
someone who worked at a company or financial institution that had access to
the personal information.

The FTC also said Internet-related dodges accounted for 55 percent of all fraud in 2003, up from 45 percent the previous year. Meanwhile, the Anti-Phishing Working Group reported that financial services took the biggest hit from these scammers in
February 2004, bearing the brunt of 9.7 different phishing attacks per day.
While eBay was the subject of twice as many phishing
expeditions as any other company, the group claimed that Citibank and Fleet Bank were among the top five business victims.

Although they refuse to go into details, Web-based tax prep and e-filing
services said they maintain the utmost in security technology. "We use
the highest level encryption and security precautions," a spokesman for H&R
Block told internetnews.com. "Our security measures
are comparable to those used in online banking and trading activity." The spokesman said the Free File Alliance, the IRS and at least two private third-party
security consultants certify the company's online activities.

Mike Cavanaugh, executive director of the Free File Alliance, a
consortium of 16 companies that offer free electronic filing to some
taxpayers in addition to paid software and services, said all members
are required to have security technology and certifications from
organizations such as TrustE. Besides, he said, "Tax preparation is
different than any other business because of the standards and legal
requirements that have been imposed on them for decades. That's just as true
in the electronic sphere as in the paper sphere."

Bob Meighan, vice president of consumer advocacy for Intuit's consumer tax division, said "the companies who take privacy and
security seriously go out of their way to make sure they're protected in
every way humanly or technologically possible." He wouldn't share any of
Intuit's strategies or techniques, but in addition to those, he said, "We
use quite a number of outside consultants and firms to validate what we do,
because we know people are always trying to hack in."

While servers can be hacked, some privacy experts said e-filing is safer
than storing your tax records in your desk or your desktop computer.
Encrypted data on password-protected servers should be safe, as is sending
information over the Internet using SSL encryption, according to Beth
Givens, executive director of the Privacy Rights Clearinghouse. "I'm more
concerned about the physical theft of the tax preparer's computer," she
said.

Like it or not, universal e-filing is coming. The IRS has a mandate to
get 80 percent of all taxpayers filing electronically by 2007, while many
states already require commercial tax prep firms to get off the paper trail.

At least, consumer watchdogs have their eye on e-filing and online tax
applications. "It's a huge area of concern," said Jessica Rich, assistant
director of the FTC's Bureau of Consumer Protection. While the agency
doesn't in the abstract condemn storing data, she said, "We encourage
consumers and businesses to take many more actions to protect data." The FTC
is bringing cases against companies that misrepresent the level of security
they offer, and enforcing security mandates for financial institutions under
the Graham-Leach-Bliley Act.

Consumers Union, which worked with other organizations to get Congress to
prohibit tax software and e-filing providers from using their customers'
information for marketing other products and services, worked with the
California Department of consumer affairs to develop best practices for
these vendors.

They include keeping customers' tax data on a separate server
with limited employee access, storing it offline, so it's harder to get to,
and physically locking up the storage hardware.

Consumers Union senior attorney Gail Hillebrand said that the prevalence
of phishing expeditions in the financial services industry worries her --
and she isn't as confident in SSL as some people. "If there's anything we're
learned about the Internet," she said, "it's that anything can happen."